Break gate chain for forbidden abilities

src/Clipboard.php

@@ -33,6 +33,11 @@ public function registerAt(Gate $gate)
             if ($id = $this->checkGetId($authority, $ability, $model)) {
                 return $this->allow('Bouncer granted permission via ability #'.$id);
             }
+
+            // If the response from "checkGetId" is "false", then this ability
+            // has been explicity forbidden. We'll return false so the gate
+            // doesn't run any further checks. Otherwise we return null.
+            return $id;
         });
     }
 
@@ -81,7 +86,7 @@ public function check(Model $authority, $ability, $model = null)
      * @param  \Illuminate\Database\Eloquent\Model  $authority
      * @param  string  $ability
      * @param  \Illuminate\Database\Eloquent\Model|string|null  $model
-     * @return int|bool
+     * @return int|bool|null
      */
     protected function checkGetId(Model $authority, $ability, $model = null)
     {
@@ -98,11 +103,9 @@ protected function checkGetId(Model $authority, $ability, $model = null)
             return false;
         }
 
-        $allowedId = $this->findMatchingAbility(
+        return $this->findMatchingAbility(
             $this->getAbilities($authority), $applicable, $model, $authority
         );
-
-        return $allowedId ?: false;
     }
 
     /**

tests/ForbidTest.php

@@ -132,4 +132,19 @@ public function test_forbidding_an_ability_when_everything_is_allowed()
         $this->assertTrue($bouncer->allows('create', Account::class));
         $this->assertTrue($bouncer->denies('create', User::class));
     }
+
+    public function test_forbidding_an_ability_stops_all_further_checks()
+    {
+        $bouncer = $this->bouncer($user = User::create())->dontCache();
+
+        $bouncer->define('sleep', function () {
+            return true;
+        });
+
+        $this->assertTrue($bouncer->allows('sleep'));
+
+        $bouncer->forbid($user)->to('sleep');
+
+        $this->assertTrue($bouncer->denies('sleep'));
+    }
 }